There is only one week left before the GDPR becomes enforceable within the European Union (EU). MarTech companies across the globe are scrambling to make sure they are compliant with the new regulation's requirements before May 25th. The question now is how this new regulation will affect MarTech companies and the marketing industry at large.
In the following article we will dissect what the GDPR entails, how MarTech companies are seeking to comply with the changes, the general impact on marketing practice across the globe and how your company can prepare itself.
What is the GDPR?
The GDPR is a regulation in EU law relating to data protection and privacy for individuals within the European Union. The regulation also covers the export of personal data outside of the EU. The consequence of these changes is that citizens of the EU will have greater personal control over their own data. These changes will also hopefully simplify the current international regulatory environment.
After four years of debate, the GDPR was approved by the EU Parliament on April 14th 2016. Heavy fines may be enforced if organisations are not compliant by May 25th 2018.
The GDPR will be replacing the existing 1995 Data Protection Directive. Unlike the previous directive, the upcoming regulation does not require any legislation by national governments in order to be binding or applicable.
The EU has officially stated that, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Breaking Down The GDPR
The GDPR is not a toothless regulation: it has the power to bankrupt organisations by hitting companies with fines as steep as 4% of all global revenue. Even if you are a smaller company that doesn’t deal with European consumers, data can travel quite easily. Whilst you may block EU users altogether, many companies are instead looking to make sure they are compliant.
In brief, there are three ways that organisations can comply with the new requirements: pseudonymization, encryption and anonymization.
- Pseudonymization – Reorganising the components of data so that they are indecipherable unless put back together.
- Encryption – Converting data into a code so as to prevent unauthorised access.
- Anonymization – Removing any personally identifiable information so that data cannot be traced back to individuals.
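As an added illustration (not part of the original article), the sketch below contrasts pseudonymization with anonymization on two constructed records, and shows why an unkeyed hash of an e-mail address is still a pseudonym: anyone who already holds the address can recompute it. The record fields, the key and all function names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample records; the people, addresses and key are made up.
RECORDS = [
    {"email": "anna@example.com", "name": "Anna Berg", "age": 34, "country": "DE"},
    {"email": "luc@example.com", "name": "Luc Martin", "age": 15, "country": "FR"},
]
# Assumption: in production this key lives in a separate, access-controlled
# system (KMS/HSM), never beside the pseudonymised data set.
PSEUDONYM_KEY = b"constructed-demo-key"


def keyed_token(email, key):
    """HMAC-SHA256 of the normalised address; stable per person, per key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def plain_hash(email):
    """Unkeyed SHA-256 of the normalised address (a 'hashed e-mail')."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymize(record, key):
    """Swap direct identifiers for a keyed token; records stay linkable
    per person, so the output is still personal data."""
    return {"subject_id": keyed_token(record["email"], key),
            "age": record["age"], "country": record["country"]}


def anonymize(record):
    """Drop identifiers and coarsen age to a 10-year band. Whether the result
    is truly anonymous depends on how many people share each band/country."""
    low = record["age"] // 10 * 10
    return {"age_band": f"{low}-{low + 9}", "country": record["country"]}


def can_relink(token, known_email, key=None):
    """Can a party holding known_email (and optionally the key) match token?"""
    guess = plain_hash(known_email) if key is None else keyed_token(known_email, key)
    return hmac.compare_digest(guess, token)


if __name__ == "__main__":
    for rec in RECORDS:
        print(pseudonymize(rec, PSEUDONYM_KEY), anonymize(rec))
```

The keyed token can only be matched back to a person by whoever holds the key, which is why the key has to be stored and access-controlled separately from the data.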
Users must also have access to and control over their data if it is being stored by a company. Any time data is generated, procured or collected, there must also be very clear affirmations of consent. Users must know at all times when and where their data is being used.
These protections are especially important in relation to protecting the personal information of children under the age of 16. The GDPR makes specific mention of parental consent where the storage of a child’s personal information is involved.
What are MarTech companies doing to comply?
The GDPR broadens the definition of personal data to include cookies, hashed email addresses and pseudonymous data. These types of data are oxygen to MarTech companies, and other marketing cloud and data software companies.
As a result, many MarTech companies have been preparing for these changes by mapping out the way data is collected and disseminated throughout their organisation.
Software as a Service (SaaS) marketing automation companies, like Marketo and ActiveCampaign, are being required to audit their data practices. The GDPR also stipulates that these software companies must assist businesses to be compliant.
Account-based marketing companies, such as Demandbase, are developing their software services to handle personal data requests. Demandbase’s first Chief Privacy Officer, Fatima Khan, has said, “we’re in the process of finalising an API build that will allow us to get data on an individual and return it to that individual if requested.”
Salesforce’s B2B marketing automation tool, Pardot, now comes with the option for customers to delete their own personal data. These changes are being employed across all of Salesforce’s services.
Despite the efforts being made by the MarTech industry, we will have to wait till May 25th to see if these steps are adequate. As Mr Khan has said in an interview with the AdExchanger, “What is clear is that the industry is woke. But is what they’re doing sufficient? I’m not sure anybody has the definitive answer on that just yet.”
How will the GDPR affect the MarTech industry?
Many are theorising that the costs associated with complying with the GDPR may shut out many smaller MarTech businesses from the market. Marketing technology consultant and analyst David Raab has predicted that ‘the GDPR will have a more direct impact on AdTech than MarTech.’
He also theorised that the introduction of the GDPR could trigger a global change in privacy and data protection law.
“It looks like most firms are planning to apply GDPR standards worldwide, if only because that’s so much easier than applying different rules to EU vs non-EU persons,” says Mr. Raab.
Popular Myths and Misconceptions
New changes being introduced by the GDPR have raised several concerns amongst marketers and those within the MarTech industry. As with any new regulation, there are plenty of misconceptions being floated around. Below we have mentioned a few of the more popular, and problematic, ones:
Myth #1: The GDPR only applies to companies within the EU, it does not affect Australian businesses.
The GDPR protects the personal data of all EU citizens. The geographic location of the company extracting that data does not matter. If you are an Australian business exporting data from EU users, you will need to comply.
Myth #2: If you are a small business the GDPR does not apply.
The GDPR applies to all organisations no matter how big or small.
Myth #3: Personal data is only data that has been provided by users.
Any data collected or generated relating to a user within the EU must be handled in accordance with the GDPR to avoid facing fines.
Myth #4: ‘Legitimate interest’ can be used as an excuse to use personal data without consent.
The term ‘legitimate interest’ is used within the GDPR document to specify a case where data could be used to protect a vital interest (such as human rights). Companies are unlikely to be able to justify their actions using ‘legitimate interest’ if their users have simply agreed to receiving marketing information.
Five Ways Marketers Should Prepare for the GDPR
Given the gravity of the GDPR, it is important that businesses that handle data should take appropriate steps to ensure that they are complying with the changes. Below are five steps we would recommend companies employ in order to be on the right side of data privacy compliance:
1. Get your Marketing and IT departments working closely together.
Any Marketing department or agency using MarTech software will want to work closely with their IT departments to make sure that they are on the proper side of compliance and avoid any cyber-security threats. Securing personal data within organisations will be a high priority for businesses over the next decade.
2. Make sure staff are aware of the GDPR.
The best way to avoid issues within your company is to inform your staff of the changes to handling personal data. Any staff that interact with customers, engage in data entry or use CRM software, will need to be informed of the limitations of personal data storage and usage.
3. Assign somebody to oversee Data Protection within your organisation.
Protecting data from cyber-threats and maintaining compliance in the handling of personal data will become an important part of any business within the next decade. By assigning these duties to someone within your organisation, or hiring an officer to make sure data compliance is adhered to, you are well-positioned to avoid fines or prosecution.
4. Do an audit of all your current data systems.
Checking the security of personal data stored in your current data systems is crucial. Know what data you have and how it is being protected. This is a task that can be directed to a Data Protection Officer.
5. Avoid third-parties that are not complying with the GDPR.
Whether this is your email provider, CRM software system, or even other outsourced agencies, you will want to make sure that you don’t get embroiled in other companies conducting poor practice. If the companies you work with are compliant with the GDPR, you are in a safe position.
In this article, we have covered many of the ways that the GDPR is looking to affect MarTech companies, and the ways marketers can prepare themselves for the changes. The introduction of the GDPR could mark a new era of the digital age, whereby privacy and protection of data are paramount.
For the moment the regulations introduced by the GDPR only affect EU citizens. Could we see the same changes being employed in other countries, most notably here in Australia? The answer is probably yes; it is only a matter of time.
Preparing for these changes today will secure your business into the future. More importantly, giving your users control over their data will build trust. Gaining the trust of your stakeholders is invaluable.
For more information about handling data within your organisation, and developing effective and compliant marketing strategies, please feel free to contact The Lead Agency today by calling 1300 146 375 or filling out the contact form below.